migrate to Log4J 2 to remove vulnerabilities #12
Description
Hi, @simeshev, I stumbled upon a vulnerability introduced by package log4j-1.2.15.jar:
Issue Description
When I build the project, I notice that package log4j-1.2.15 with some vulnerabilities (CVE-2022-23307, CVE-2022-23305, CVE-2022-23302, CVE-2021-4104, CVE-2019-17571) is packaged in cacheonix-core (3rdparty/apache-log4j-1.2.15/log4j-1.2.15.jar). I know that this project may loads log4j in OptionConverter.loadClass(final String className) by classLoader at run time.
Why is the project referencing this third-party library in a dynamically loaded manner instead of using maven for dependency management?
Is it possible to migrate to Log4J 2 to remove these vulnerabilities?
Suggested Solution
Since Log4J 1 has reached its end of life and is no longer officially supported, it is recommended to migrate to Log4J 2.
Maybe you can try to migrate to org.apache.logging.log4j:log4j-core:2.17.1 or higher.
Note:
[email protected](>=2.17.1) has fixed all vulnerabilities.
Of course, you are welcome to share other ways to resolve the issue.
Thank you for your attention to this issue and welcome to share other ways to resolve the issue.
Best regards,
^_^